Content Discovery


# Fuzzing Wordlists

# Fuzzing and Content Discovery


# Fuzz non-printable and boundary characters in any user input; the bytes below sit at the edges of the 0-9, A-Z and a-z ranges, so a loosely written regex character class may accept them
# Could result in regex bypass, account takeover...
0x00, 0x2F, 0x3A, 0x40, 0x5B, 0x60, 0x7B, 0xFF
%00, %2F, %3A, %40, %5B, %60, %7B, %FF

Scraping from JS

# You can parse and scrape the JavaScript served by a target website to look for hidden subdomains or interesting paths
# Often, endpoints are not public but users can still interact with them
# Tools like dirscraper automate this (repository link missing from this copy)

# Classic
python -u <url>

# Output mode
python -u <url> -o <output>

# Silent mode (you won't see result in term)
python -u <url> -s -o <output>

# Relative URL Extractor is another good tool for scraping JS files (repository link missing from this copy)
ruby extract.rb
# Extract all API endpoints from AngularJS & Angular JavaScript files
curl -s URL | grep -Po "(\/)((?:[a-zA-Z\-_\:\.0-9\{\}]+))(\/)*((?:[a-zA-Z\-_\:\.0-9\{\}]+))(\/)((?:[a-zA-Z\-_\/\:\.0-9\{\}]+))" | sort -u
# Simple script that greps information from JavaScript files
python3 -u -n google

# Analyzing one file and HTML output
python -i -o results.html

# CLI/STDOUT output
python -i -o cli

# Analyzing entire domain
python -i -d
# Based on LinkFinder
# Uses regular expressions to search for data like API keys, tokens...

python3 -i -o results.html
python3 -i -o cli
python3 -i -e
python3 -i -e -g 'jquery;bootstrap;'
# subjs fetches JavaScript files from a list of URLs or subdomains.

$ cat urls.txt | subjs 
$ subjs -i urls.txt
$ cat hosts.txt | gau | subjs

# Check for broken links and domain takeover
# For twitter, TwitterBFTD is great
$ blc -rof --filter-level 3
$ blc -rfoi --exclude --exclude --filter-level 3


$ python3 -u -f -e php,xml,txt -t 10 -w wordpress.fuzz.txt

# getallurls (gau) fetches known URLs from AlienVault's Open Threat Exchange,
# the Wayback Machine, and Common Crawl for any given domain

# It can be used to map and discover new targets (endpoints, domains, subdomains...)

$ printf | gau
$ cat domains.txt | gau
$ gau


# Usage
cat urls.txt | hakrawler

# Example tool chain
echo | haktrails subdomains | httpx | hakrawler